This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [FedRAMP Assignment: (M) (H) personnel screening criteria – as required by specific information].
NIST 800-53 (r4) Supplemental Guidance
Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.
NIST 800-53 (r5) Discussion
Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements.
Meets Minimum Requirement:
Document any personnel subject to this control
Establish the specific personnel screening criteria applied to these personnel pursuant to federal laws or requirements
Satisfy the specific personnel screening criteria and retain evidence that they have been satisfied
Best Practice:
Align the approach with the account creation processes in the AC control family to streamline operations
Include a specific check in the AC process for unique security/clearance requirements and document satisfaction of that check in the account creation ticketing system
Ensure that individuals subject to this control are aware that additional screening is being applied to them
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation describing the process for documenting specialized security screening
Inspect evidence in personnel files that this screening is applied to applicable personnel
CSP Implementation Tips:
AWS: TBD
Azure: TBD
GCP: TBD